CROSSWALK

Open Source License Compliance

WHAT CARRIES OVER

IEC 62304 §5.3.3 SOUP specification and ISO 13485 §7.4.1 purchasing controls — license identification has long been part of SOUP documentation; this formalizes the compliance strategy requirement.

WHAT’S NEW

FDA treats restrictive copyleft (GPL/AGPL) as security risk — compatibility analysis and copyleft isolation strategy are expected submission artifacts.

AUDIT FOCUS

Copyleft isolation or linking strategy for GPL/LGPL/AGPL components, fulfilled attribution notices in product documentation, and pre-adoption license review gate — missing compliance strategy for copyleft components is a moderate-severity gap.

Maps to

ISO 13485: §7.4.1 Purchasing process

Pre-QMSR Part 820 (legacy QSR): §820.50 Purchasing controls.

IEC 62304: §5.3.3 Specify functional and performance requirements of SOUP item

Requirement text

The manufacturer shall identify, evaluate, and comply with the license terms of all open-source software components used in the medical device software. A license inventory must be maintained, license compatibility must be verified, and attribution requirements must be fulfilled. License obligations that could affect the proprietary status of the device software (e.g., copyleft provisions) must be identified and managed.

Why this clause exists

A copyleft license that requires source disclosure for combined works, applied to software incorporated into a proprietary medical device without a compliance strategy, creates a legal encumbrance that can prevent the manufacturer from lawfully distributing or modifying the device software — including applying emergency security patches. FDA views restrictive copyleft licenses as a cybersecurity risk specifically because a manufacturer obligated by GPL or AGPL terms it has not fulfilled may face legal exposure that blocks or delays patch deployment, converting a license-compliance gap into a patient safety gap.

The attribution failure mode is more routine but structurally similar: unfulfilled attribution requirements generate downstream legal liability that can interfere with commercial distribution, creating a risk materialized through a routine compliance omission rather than a deliberate security decision.

The pre-adoption review gate requirement reflects the principle that license risk is easiest to manage before a component is incorporated — retroactively replacing a dependency that drives copyleft obligations through a widely-integrated transitive chain is significantly more disruptive than evaluating the license at the point of first adoption. IEC 62304 §5.3.3's purchasing-controls framework encompasses license evaluation as part of specifying what a SOUP item is and what obligations it carries, placing license compliance within the same traceability structure as functional and performance requirements.

What changed

The FDA's September 2023 final guidance replaced the October 2014 draft and represented a fundamental shift from voluntary best practices to mandatory, enforceable requirements backed by Section 524B of the FD&C Act (added by FDORA, enacted December 29, 2022), which became effective March 29, 2023. FDA's transitional non-enforcement policy ended October 1, 2023; submissions received after that date missing required cybersecurity documentation receive Refuse to Accept (RTA) letters.

Section 524B created new statutory requirements for 'cyber devices' — any device that includes software, has the ability to connect to the internet, and contains technological characteristics that could be vulnerable to cybersecurity threats. Manufacturers must submit: a plan for postmarket vulnerability monitoring and patching, evidence of secure development processes (SPDF), and a machine-readable SBOM in SPDX or CycloneDX format including transitive dependencies and end-of-support dates.

FDA can now refuse to accept (RTA) premarket submissions lacking adequate cybersecurity documentation. Since October 2023, there has been a 700% increase in cybersecurity-related deficiency letters, with an average of 15 deficiencies per letter when cybersecurity is cited. Threat modeling deficiencies appear in a majority of these letters. The SBOM requirement goes significantly beyond the 2014 guidance — binary analysis is expected to find hidden components, and SBOMs must be continuously maintained, not static snapshots.

Common gaps (what we see in audits)

  • License compliance unmanaged for medical device software: Open source components are used without tracking license obligations. Copyleft licenses (GPL, LGPL, AGPL) are included without compliance strategies. FDA views restrictive licenses as a security risk if they prevent the manufacturer from modifying or patching code in an emergency. Attribution requirements are not fulfilled.
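As an added example that is not part of the original page, the following Python script performs the review gate that the requirement text and the audit gap above describe, reading the CycloneDX SBOM format named under "What changed": it builds the license inventory, flags copyleft components with no documented compliance strategy (moderate severity, matching the audit focus), checks one well-known incompatible license pair, and renders the attribution notice. The sample SBOM, the policy table, the license classification, the incompatibility table and the "high" severity for unidentified licenses are all constructed assumptions for illustration, not data from any real device.

```python
"""Pre-adoption license review gate over a CycloneDX SBOM (added example)."""
import json

# License classification keyed by SPDX identifier. Constructed starting point;
# a real policy must cover every identifier the scanner can emit.
LICENSE_CLASS = {
    "MIT": "permissive", "BSD-3-Clause": "permissive", "Apache-2.0": "permissive",
    "LGPL-2.1-only": "weak-copyleft", "LGPL-3.0-only": "weak-copyleft",
    "MPL-2.0": "weak-copyleft",
    "GPL-2.0-only": "strong-copyleft", "GPL-3.0-only": "strong-copyleft",
    "AGPL-3.0-only": "network-copyleft",
}
COPYLEFT = {"weak-copyleft", "strong-copyleft", "network-copyleft"}

# License pairs that cannot be combined in one distributed work without an
# explicit compatibility decision. Apache-2.0 with GPL-2.0-only is the
# well-known case; extend with the organisation's own analysis.
INCOMPATIBLE = {frozenset({"Apache-2.0", "GPL-2.0-only"})}

# Constructed CycloneDX 1.5 document, not a real device SBOM.
SAMPLE_SBOM = json.dumps({
    "bomFormat": "CycloneDX", "specVersion": "1.5", "version": 1,
    "components": [
        {"type": "library", "name": "json-parse", "version": "2.1.0",
         "licenses": [{"license": {"id": "MIT"}}],
         "copyright": "Copyright (c) Example JSON Authors"},
        {"type": "library", "name": "netcrypt", "version": "1.4.2",
         "licenses": [{"license": {"id": "Apache-2.0"}}]},
        {"type": "library", "name": "libmath-ext", "version": "0.9.1",
         "licenses": [{"license": {"id": "LGPL-2.1-only"}}]},
        {"type": "library", "name": "gpl-imaging", "version": "3.0.0",
         "licenses": [{"license": {"id": "GPL-2.0-only"}}]},
        {"type": "library", "name": "unknown-blob", "version": "1.0",
         "licenses": []},
    ],
})

# Compliance strategies recorded by the review gate, keyed by component name.
# Constructed: only libmath-ext has a documented strategy.
SAMPLE_POLICY = {
    "libmath-ext": "dynamically linked; LGPL-2.1 relink obligation met by "
                   "shipping object files",
}


def build_inventory(sbom_json):
    """Return the license inventory: (name, version, spdx_id or None, copyright)."""
    bom = json.loads(sbom_json)
    rows = []
    for comp in bom.get("components", []):
        ids = [entry["license"]["id"] for entry in comp.get("licenses", [])
               if "license" in entry and "id" in entry["license"]]
        rows.append((comp["name"], comp.get("version", ""),
                     ids[0] if ids else None, comp.get("copyright", "")))
    return rows


def review(sbom_json, policy):
    """Run the gate; return a list of (severity, component, message) findings."""
    findings = []
    inventory = build_inventory(sbom_json)
    for name, _ver, lic, _cr in inventory:
        if lic is None:
            # An unidentified license cannot be evaluated at all (assumed "high").
            findings.append(("high", name, "no license identified; resolve before adoption"))
            continue
        cls = LICENSE_CLASS.get(lic)
        if cls is None:
            findings.append(("high", name, f"license {lic} is not classified in policy"))
        elif cls in COPYLEFT and name not in policy:
            # Missing compliance strategy for a copyleft component: moderate gap.
            findings.append(("moderate", name,
                             f"{lic} ({cls}) has no documented compliance strategy"))
    # Compatibility check across the whole inventory, not per component.
    present = {lic for _n, _v, lic, _c in inventory if lic}
    for pair in INCOMPATIBLE:
        if pair <= present:
            a, b = sorted(pair)
            findings.append(("high", "*",
                             f"{a} and {b} both present; combination needs compatibility analysis"))
    return findings


def attribution_notice(sbom_json):
    """Render the NOTICE text that fulfils attribution for every inventoried component."""
    lines = ["This product includes the following third-party components:"]
    for name, ver, lic, cr in build_inventory(sbom_json):
        line = f"- {name} {ver}: {lic or 'LICENSE UNKNOWN'}"
        lines.append(line + (f" ({cr})" if cr else ""))
    return "\n".join(lines)


if __name__ == "__main__":
    for sev, comp, msg in review(SAMPLE_SBOM, SAMPLE_POLICY):
        print(f"[{sev}] {comp}: {msg}")
    print(attribution_notice(SAMPLE_SBOM))
```

Running the gate on the constructed SBOM yields three findings: the GPL-2.0-only component without a strategy, the component with no identified license, and the Apache-2.0/GPL-2.0-only combination; adding a strategy for `gpl-imaging` to the policy clears the first but not the other two, which is the point of keeping the compatibility check separate from the per-component strategy check.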
